
DORA (Digital Operational Resilience Act)

The Digital Operational Resilience Act (DORA) is an EU regulation that requires financial companies and their IT service providers to maintain digital operational resilience. Since January 17, 2025, DORA has been binding across all EU member states.


01

What is DORA?

The financial sector is one of the most highly digitalized industries and therefore one of the most attractive targets for cybercriminals. ICT incidents at cross-border financial service providers can destabilize not just a single company but entire sub-sectors. With DORA, the EU has responded to this growing threat landscape by creating a uniform legal framework for ICT security and digital resilience in the financial sector.

The Digital Operational Resilience Act (DORA) is Regulation (EU) 2022/2554. It entered into force on January 16, 2023, and has applied since January 17, 2025. Its purpose is to ensure that banks, insurance companies, investment firms, and other financial entities can withstand, respond to, and recover from ICT disruptions, such as cyberattacks or system failures, with as little impact on their business as possible.

The DORA regulation establishes, among other things, uniform requirements for ICT risk management, incident reporting, security testing, and the handling of external IT service providers. The goal is to make the European financial sector more resilient to cyberattacks and digital disruptions.


02

Why was DORA introduced?

Before DORA, risk management regulations for financial institutions in the EU focused primarily on ensuring that firms had sufficient capital to cover operational risks. While some EU regulators issued guidelines on ICT and security risk management, these did not apply equally to all financial firms and were often based on general principles rather than specific technical standards.

In the absence of EU-wide ICT risk management rules, member states adopted their own requirements. This patchwork of regulations was difficult for financial firms to navigate.

DORA harmonizes national regulations on the security of IT systems in the financial sector, thereby strengthening the European financial market as a whole against cyber risks and ICT incidents. DORA also provides financial firms operating across borders with legal clarity regarding digital resilience requirements.

03

What are the objectives of DORA?

The overarching objective of DORA is to address ICT risk comprehensively and to strengthen the operational resilience of digital systems in the EU financial sector. To that end, DORA is intended to:

  • ensure that financial entities assess the effectiveness of their prevention and resilience measures and identify their ICT vulnerabilities in order to make such risks more manageable.

  • provide financial supervisory authorities with access to information on ICT-related incidents in order to improve their knowledge of the current threat situation.

  • strengthen the outsourcing regulations for the indirect supervision of ICT third-party service providers.

  • allow direct supervision of the activities of ICT third-party providers when they offer services to financial entities.

  • incentivize the exchange of information about cyber threats in the financial sector.

04

Who is affected by the DORA regulation?

The DORA regulation applies to financial entities regulated at the EU level. Companies that do not provide financial services themselves but act as ICT service providers for the financial sector can also fall under DORA. Those affected include:

  • Credit institutions and banks

  • Insurance and reinsurance companies

  • Investment firms and trading venues

  • Payment service providers and electronic money institutions

  • Fund management companies and credit rating agencies

  • ICT third-party providers such as cloud service providers, data center operators, and managed security providers; those designated as critical are placed under direct EU-level oversight

In accordance with the principle of proportionality, differences in business model, size, risk profile, and systemic importance are taken into account when the core requirements are applied. For example, smaller financial entities face less extensive obligations for incident reporting and resilience testing than large institutions.


05

What are the core requirements of DORA?

1. ICT risk management

  • The management body (e.g., the board of directors) defines, approves, and oversees the ICT risk management framework and bears overall responsibility for it

  • Business functions and the supporting information resources that represent potential sources of ICT risk must be identified, classified, and documented

  • ICT systems must be continuously monitored and protected

  • Anomalous activities and vulnerabilities must be detected promptly

  • Companies must have contingency plans for business continuity and recovery

  • Organizations must develop a crisis communication plan

2. ICT incident reporting

  • Financial institutions must establish and implement a structured incident management process

  • ICT incidents must be classified and categorized

  • Major ICT-related incidents must be reported to the competent supervisory authority within specified timeframes, using standardized reporting templates (under the DORA technical standards: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report)

3. Digital operational resilience testing

  • Companies must conduct a comprehensive resilience testing program for ICT systems, processes, and tools at least once a year

  • Certain financial entities are additionally required to undergo threat-led penetration testing (TLPT) at least once every three years: intelligence-driven red-team exercises against live production systems supporting critical or important functions

4. Management of ICT third-party risk

  • Third-party risk must be systematically integrated into the ICT risk management framework

  • A mandatory risk assessment must be conducted before the contract is signed

  • Contracts with ICT service providers must include clearly defined rights and obligations, including audit, termination, and withdrawal rights

  • Concentration risk (e.g., excessive dependency on a single provider) must be identified and assessed, and exit strategies must be in place for providers supporting critical or important functions

5. Information sharing

  • DORA enables and promotes the voluntary exchange of threat intelligence between financial institutions

  • This includes indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), as well as cybersecurity alerts

06


How does DORA differ from existing regulations?

Many requirements of the DORA regulation are familiar from existing regulation frameworks such as EBA guidelines, MaRisk, or BAIT. However, DORA goes beyond these in several areas:

  Area                  | Existing frameworks            | DORA requirement
  ICT risk management   | EBA guidelines, MaRisk, BAIT   | Extended requirements, board-level responsibility explicitly defined
  Third-party oversight | Limited                        | Supervisory framework for critical ICT third-party providers by the European Supervisory Authorities (ESAs)
  Penetration testing   | Recommended                    | Mandatory every 3 years (TLPT) for certain institutions
  Incident reporting    | Varies by country              | Harmonized EU-wide reporting standards and deadlines
  Scope of application  | Mostly national                | Uniform across the entire EU

07

What does DORA compliance mean in practice?

DORA compliance means that a company can demonstrate that it fulfils all five requirement areas of the regulation. This is not a one-time task but an ongoing process. The key steps include:

1. Gap analysis: Compare existing ICT processes against the DORA requirements

2. Build a risk register: Document all ICT assets and their dependencies

3. Review third-party providers: Update contractual agreements and classify providers by risk

4. Develop an incident response plan: Define reporting deadlines and responsibilities

5. Establish a testing program: Schedule regular security tests and penetration tests

6. Conduct training: Raise employee awareness of DORA-relevant processes

08

How does Myra Security help with DORA compliance?

As a security service provider regulated under DORA, Myra Security meets the technical, procedural, and contractual requirements associated with the regulation. Our customers benefit from certified and audited solutions and processes that directly address DORA's technical security requirements:

  • Myra DDoS Protection: Fully automated protection against volumetric attacks, so that your services stay available even under active attack

  • Myra Web Application Firewall (WAF): Protection against malicious access and exploitation of vulnerabilities in web applications

  • Myra Bot Management: Detection and mitigation of malicious bots using individual bot fingerprints

  • Myra DNS: Reliable protection for name resolution, e.g., against DNS hijacking

  • Myra CDN: High-performance, highly available content delivery for maximum uptime

FAQ: Frequently asked questions about DORA

DORA stands for Digital Operational Resilience Act. It is a binding EU regulation that requires financial companies and their ICT service providers to maintain digital operational resilience.

About the author

Björn Greif

Senior Editor

Björn started his career as an editor at the IT news portal ZDNet in 2006. 10 years and exactly 12,693 articles later, he joined the German start-up Cliqz to campaign for more privacy and data protection on the web. It was then only a small step from data protection to IT security: Björn has been writing about the latest trends and developments in the world of cybersecurity at Myra since 2020.